What do I have to do to secure a WiFi network? Is there any best practices?

I have been recommended to use WPA2 encryption on the router, is that enough? What can I do to improve the security even more? Is it recommended to only allow specific MAC-addresses, or isn't that needed?

I have heard that if someone else set up a WiFi net with the same SSID and stronger signal strength, my computer will connect to that network instead of my own. What can I do to protect against that?

6 Answers
6

I take it when you say WPA2 you mean WPA2-Personal. It is good enough in most cases at the moment as long as its combined with a really good password. https://www.grc.com/passwords.htm is a good generator for them.

Disable Wi-Fi Protected Setup (WPS). Otherwise, an attacker only needs to break an 8 digit PIN -- and that is perfectly doable.

Cloak your SSID. It won't stop a determined attacker but will stop some of the script kiddie like attackers.

Only allowing specific MAC addresses can be a good step to manage user access. But once again won't really slow down a determined attacker, as they can just see what MAC addresses are currently connected to wireless in plain text anyway.

If possible a good tactic to reduce the chance of your WiFi being attacked is to position your wireless access point well so that the minimum amount of signal is broadcast outside of your building. That way the attacker needs to be closer to start the attack unless they have improved wireless antennas to grab from miles away.

Yes people can broadcast a stronger signal to try and get you to connect to them instead of your actual desired access point using tools like Karma. I don't know any specific ways to protect against this except not to allow any automatic associations instead each time you wish to connect to wireless, you should do it manually and verify you are connecting to the correct access point.

I completely agree with you Marcin. Hence why I said Script Kiddie deterrent only for SSID and MAC address only good for user control.
–
Mark DavidsonNov 27 '10 at 22:59

Windows 7 and others already natively discover routers that are "cloaked" so that part is worse than useless as it gives a false sense of security where none exists. Not even against script kiddies. +1 for the other items.
–
NotMeDec 21 '10 at 15:57

I agree with all the points mentioned so far, and as both Mark Davidson and sdanelson have mentioned radio coverage I just wanted to slightly expand on this as there are a couple of areas:

Signal strength - generally you want to use the minimum signal strength possible in a particular area, so an attacker outside your side can't gain access, but this can leave you open to an Evil Twin attack if a malicious access point copies your SSID and uses a much higher signal strength.

A solution is to think of your propagation paths - locating your access points around the outside of your site with antennae configured to be directional into your site will help a lot as you can increase the access point signal strength (so looking stronger to the clients) without propagating your signal so far outside the side.

A simpler, but more effective solution I have seen (which may be overkill for you - I have seen it used in a very sensitive establishment) is metal clad walls and ceiling with mesh in the windows - a wireless site survey of this site picked up zero RF leakage!

Security through Obscurity - in this case hiding SSID beacons - gives you a false sense of security. Your Access Point will still broadcast SSID, just not in the beacon frames. Many ordinary users will still be able to connect as drivers for many platforms will still identify the SSID, and all attackers will be able to find you as they normally would - try any of the tools on the Russix LiveCD and they will work quite happily with SSID broadcast disabled.

I generally disagree with using signal strength as a security mechanism. Unless your network is kept in a shielded building/room, an attacker's ability to hear your network is beyond your control. Additionally, this approach has the down-sides of potentially impacting the usability of your network and/or adding more complexity to its design requirements.
–
IsziJun 19 '12 at 18:12

The single best "wireless" security model is to replace those wireless routers with regular CAT-5 wiring.

The next best item is to ensure all traffic between machines is secured using kerberos in addition to the encryption provided by the wireless router. This can be done with group policy settings on windows domains.

Whatever you do, don't natively trust any machine that is able to authenticate against your router.

Good defense is layered, so there won't be one guide to rule them all. For wireless in particular, you might want to take a look at DISA's implementation guides. You'll want to include other technologies for enpoint authentication, etc., but this is a good start.

On the assumption that this is a Wireless Router for a Home or Small Business I would have to recommend the following:

As a general rule change anything that is default on the router including but no limited to the SSID, and the web interface.

You should use WPA2 with AES encryption only and a strong key with alphanumeric password containing more than 8 characters. You do not need a 63 character password to secure your home network.

Use Wireless Mac Filtering to only allow permitted wireless devices to connect to the network. This information is referred to as the physical address or the MAC address and can be found on a windows machine by typing ipconfig /all from the command prompt.

If your wireless router supports it you should limit your range to within the confines of your property to reduce the area in which a hacker could position him or her self.